Spring security Spring安全性(Java配置):对同一URL使用antmatchers和不同的HTTP方法
我试图限制一个角色对URL的访问权限,而另一个角色对同一URL的POST访问权限,如下所示Spring security Spring安全性(Java配置):对同一URL使用antmatchers和不同的HTTP方法,spring-security,Spring Security,我试图限制一个角色对URL的访问权限,而另一个角色对同一URL的POST访问权限,如下所示 @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception {
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user").password("password").roles("USER").and()
.withUser("readuser").password("password").roles("USER", "READ").and()
.withUser("admin").password("password").roles("USER", "READ", "WRITE");
}
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().permitAll().and()
.logout().permitAll().and()
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/api/foo").hasRole("READ")
.antMatchers(HttpMethod.POST, "/api/foo").hasRole("WRITE")
.anyRequest().authenticated()
.and().csrf().disable()
.httpBasic();
当我尝试使用我的readuser帐户获取(或发布)时,我得到一个拒绝访问错误;但当我尝试使用管理员帐户时,两者都可以
但是,当我删除行.antMatchers(HttpMethod.POST,“/api/foo”).hasRole(“WRITE”)
时,我的readuser帐户可以通过GET请求正确地点击/api/foo
如何使Spring安全性同时允许这两种限制
更新-包括相关的spring安全调试日志信息
以下是尝试使用readuser时的相关日志:
************************************************************
Request received for GET '/api/foo?id=foo':
Request(GET //localhost:8089/api/foo?id=foo)@b4603eb
servletPath:/api/foo
pathInfo:null
headers:
Authorization: Basic cnVudXNlcjpwYXNzd29yZA==
Cookie: JSESSIONID=node0fe3b0i44a5sbpohi6jq6dkkw0.node0
Cache-Control: no-cache
Accept: */*
User-Agent: PostmanRuntime/3.0.11-hotfix.2
Connection: keep-alive
Postman-Token: 99a23213-6cf8-4686-9886-7f9c2de13c6f
Host: localhost:8089
Accept-Encoding: gzip, deflate
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
DefaultLoginPageGeneratingFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
.
.
.
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against 'GET'
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against '/api/foo'
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/foo?id=foo; Attributes: [hasRole('ROLE_WRITE')]
2017-05-08 11:31:27.818 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a38eb23d: Principal: org.springframework.security.core.userdetails.User@5c7268d6: Username: readuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_READ,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_READ, ROLE_USER
2017-05-08 11:31:27.818 DEBUG 5812 --- [p1731685294-106] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7b20c046, returned: -1
2017-05-08 11:31:27.819 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
.
.
.
2017-05-08 11:31:27.823 DEBUG 5812 --- [p1731685294-106] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
您使用了错误的
HttpMethod
类
返回一个字符串
,因此在Spring安全配置中使用而不是
通过该配置,Spring安全性检查URL模式GET
和/api/foo
(这两种模式都适用于所有HTTP方法),请参阅您的日志:
您必须使用,它返回一个
HttpMethod
对象。我刚刚用这个配置模拟了一个spring boot应用程序,似乎对我来说工作正常。我可以使用readuser点击GET
,但如预期的那样,对POST
的访问被拒绝。有了管理员,我两个都能打。控制器可能有问题?
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against 'GET'
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against '/api/foo'